|
|
@ -114,9 +114,8 @@ |
|
|
\end{itemize} |
|
|
\end{itemize} |
|
|
\vfill |
|
|
\vfill |
|
|
\begin{block}{Example: Capturing traffic from \texttt{eth0}} |
|
|
\begin{block}{Example: Capturing traffic from \texttt{eth0}} |
|
|
\lstinputlisting[language=bash,numbers=none]{sources/tcpdump.sh} |
|
|
\lstinputlisting[language=bash,numbers=none,linerange={1-1}]{sources/tcpdump.sh} |
|
|
\end{block} |
|
|
\end{block} |
|
|
|
|
|
|
|
|
\end{frame} |
|
|
\end{frame} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -124,35 +123,54 @@ |
|
|
\begin{frame} |
|
|
\begin{frame} |
|
|
\frametitle{Wireshark} |
|
|
\frametitle{Wireshark} |
|
|
\begin{itemize} |
|
|
\begin{itemize} |
|
|
\item How do you capture the traffic? |
|
|
\item Open a \texttt{.dump} file OR capture from NIC |
|
|
|
|
|
\item Filter traffic |
|
|
\begin{itemize} |
|
|
\begin{itemize} |
|
|
\item tcpdump (CLI) |
|
|
\item Big variety of supported protocols |
|
|
\item Wireshark (GUI) |
|
|
\item Filter rules down to single bits of a protocol possible |
|
|
|
|
|
\item Where should I start? |
|
|
\end{itemize} |
|
|
\end{itemize} |
|
|
\end{itemize} |
|
|
\end{itemize} |
|
|
\vfill |
|
|
|
|
|
\begin{block}{Example: Capturing traffic from \texttt{eth0}} |
|
|
|
|
|
\lstinputlisting[language=bash,numbers=none]{sources/tcpdump.sh} |
|
|
|
|
|
\end{block} |
|
|
|
|
|
|
|
|
|
|
|
\end{frame} |
|
|
\end{frame} |
|
|
|
|
|
|
|
|
\section{Wireshark} |
|
|
|
|
|
\begin{frame} |
|
|
\begin{frame} |
|
|
\frametitle{Wireshark} |
|
|
\frametitle{Wireshark} |
|
|
\begin{itemize} |
|
|
\begin{itemize} |
|
|
\item Find the interesting parts in a dump: Filter packets |
|
|
\item Find the interesting parts in a dump: Filter packets |
|
|
\begin{itemize} |
|
|
\begin{itemize} |
|
|
\item tcpdump (CLI) |
|
|
\item by IP address, |
|
|
\item Wireshark (GUI) |
|
|
\item port number, |
|
|
|
|
|
\item protocol flag, |
|
|
|
|
|
\item \ldots |
|
|
|
|
|
\end{itemize} |
|
|
|
|
|
\item \texttt{Menu->Analyze->Follow->* Stream} |
|
|
|
|
|
\begin{itemize} |
|
|
|
|
|
\item Displays the payload of one connection (SYN to FIN) |
|
|
\end{itemize} |
|
|
\end{itemize} |
|
|
\end{itemize} |
|
|
\end{itemize} |
|
|
\vfill |
|
|
\vfill |
|
|
\begin{block}{Example: Capturing traffic from \texttt{eth0}} |
|
|
\begin{block}{Example: Filtering packets in Wireshark} |
|
|
\lstinputlisting[language=bash,numbers=none]{sources/tcpdump.sh} |
|
|
\lstinputlisting[language=bash,numbers=none,linerange={2-4}]{sources/tcpdump.sh} |
|
|
\end{block} |
|
|
\end{block} |
|
|
|
|
|
|
|
|
\end{frame} |
|
|
\end{frame} |
|
|
|
|
|
|
|
|
|
|
|
\section{Conclusion} |
|
|
|
|
|
\begin{frame} |
|
|
|
|
|
\frametitle{Conclusion} |
|
|
|
|
|
\begin{itemize} |
|
|
|
|
|
\item TCPdump can also handle filter rules (same syntax) |
|
|
|
|
|
\end{itemize} |
|
|
|
|
|
\begin{block}{Example: TCPdump with filter rule} |
|
|
|
|
|
\lstinputlisting[language=bash,numbers=none,linerange={5-5}]{sources/tcpdump.sh} |
|
|
|
|
|
\end{block} |
|
|
|
|
|
\begin{itemize} |
|
|
|
|
|
\item TCPdump man page:\\ |
|
|
|
|
|
\url{www.tcpdump.org/manpages/tcpdump.1.html} |
|
|
|
|
|
\item Wireshark User's Guide: \\\url{www.wireshark.org/docs/wsug_html_chunked} |
|
|
|
|
|
\end{itemize} |
|
|
|
|
|
\end{frame} |
|
|
|
|
|
|
|
|
|
|
|
\section{Happy Dumpster Diving!} |
|
|
|
|
|
|
|
|
\end{document} |
|
|
\end{document} |
|
|
|
